diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix
index 279b26bb8957..25367f8e61d4 100644
--- a/nixos/modules/services/printing/cupsd.nix
+++ b/nixos/modules/services/printing/cupsd.nix
@@ -108,6 +108,13 @@ let
   containsGutenprint = pkgs: length (filterGutenprint pkgs) > 0;
   getGutenprint = pkgs: head (filterGutenprint pkgs);
 
+  parsePorts = addresses: let
+    splitAddress = addr: lib.strings.splitString ":" addr;
+    extractPort = addr: builtins.elemAt (builtins.tail (splitAddress addr)) 0;
+    toInt = str: lib.strings.toInt str;
+  in
+    builtins.map (address: toInt (extractPort address)) addresses;
+
 in
 
 {
@@ -172,6 +179,15 @@ in
         '';
       };
 
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to open the firewall for TCP/UDP ports specified in
+          listenAdrresses option.
+        '';
+      };
+
       bindirCmds = mkOption {
         type = types.lines;
         internal = true;
@@ -463,6 +479,13 @@ in
 
     security.pam.services.cups = {};
 
+    networking.firewall = let
+      listenPorts = parsePorts cfg.listenAddresses;
+    in mkIf cfg.openFirewall {
+      allowedTCPPorts = listenPorts;
+      allowedUDPPorts = listenPorts;
+    };
+
   };
 
   meta.maintainers = with lib.maintainers; [ matthewbauer ];
diff --git a/nixos/tests/printing.nix b/nixos/tests/printing.nix
index 7df042e72e90..29c5d810f215 100644
--- a/nixos/tests/printing.nix
+++ b/nixos/tests/printing.nix
@@ -19,6 +19,7 @@ import ./make-test-python.nix (
       startWhenNeeded = socket;
       listenAddresses = [ "*:631" ];
       defaultShared = true;
+      openFirewall = true;
       extraConf = ''
         <Location />
           Order allow,deny
@@ -26,7 +27,6 @@ import ./make-test-python.nix (
         </Location>
       '';
     };
-    networking.firewall.allowedTCPPorts = [ 631 ];
     # Add a HP Deskjet printer connected via USB to the server.
     hardware.printers.ensurePrinters = [{
       name = "DeskjetLocal";